
Configuring Physical Interfaces: This section discusses Cisco ASA interfaces that can be connected to a network through physical cabling, as well as the parameters that determine how the interfaces will operate.

Configuring VLAN Interfaces: This section covers logical interfaces that can be used to connect an ASA to VLANs over a trunk link.

Configuring Interface Security Parameters: This section explains the parameters you can set to assign a name, an IP address, and a security level to an ASA interface.

Configuring the Interface MTU: This section discusses the maximum transmission unit size and how it can be adjusted to set the largest IP packet (the Ethernet frame payload, not counting the Ethernet header) that an Ethernet-based ASA interface will transmit without fragmenting it.

Verifying Interface Operation: This section covers the commands you can use to display information about ASA interfaces and confirm whether they are operating as expected.

A Cisco Adaptive Security Appliance (ASA) must be configured with enough information to begin accepting and forwarding traffic before it can begin doing its job of securing networks. Each of its interfaces must be configured to interoperate with other network equipment and to participate in the IP protocol suite. This chapter discusses each of these topics in detail.
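The five sections above are the steps of one configuration workflow. The following is an added example of that workflow on an ASA 5510-class appliance; it is not configuration taken from this chapter. The interface names (GigabitEthernet0/0 through 0/3), VLAN IDs 10 and 20, the names inside, dmz, outside and backend, the security levels and the RFC 5737 documentation addresses are all assumptions chosen for illustration.

```cisco
! Physical interface: enable the port that will carry the 802.1Q trunk. Speed and
! duplex are left at the default (autonegotiate). Names below are assumed.
interface GigabitEthernet0/0
 description 802.1Q trunk to the distribution switch
 no shutdown
!
! VLAN interfaces: 802.1Q subinterfaces on the trunk. The subinterface number
! (.10, .20) is only a local label; the "vlan" command sets the tag sent on the
! wire, and each subinterface shares the link state of GigabitEthernet0/0.
interface GigabitEthernet0/0.10
 vlan 10
 nameif inside
 security-level 100
 ip address 192.0.2.1 255.255.255.0
!
interface GigabitEthernet0/0.20
 vlan 20
 nameif dmz
 security-level 50
 ip address 198.51.100.1 255.255.255.0
!
! Interface security parameters: in routed mode an interface passes traffic only
! once it has a name (nameif), a security level and an IP address. This port is
! an untagged link, so the parameters go directly on the physical interface.
interface GigabitEthernet0/1
 description Untagged link to the ISP router
 nameif outside
 security-level 0
 ip address 203.0.113.2 255.255.255.248
 no shutdown
!
! Redundant interface: an active/standby pair of physical ports. Only the logical
! interface carries the name, security level and address; the members carry none.
interface GigabitEthernet0/2
 no shutdown
!
interface GigabitEthernet0/3
 no shutdown
!
interface redundant 1
 member-interface GigabitEthernet0/2
 member-interface GigabitEthernet0/3
 nameif backend
 security-level 90
 ip address 192.0.2.129 255.255.255.128
 no shutdown
!
! Interface MTU: set in global configuration mode per interface *name*, not under
! the interface, so it must follow nameif. 1500 is the default, shown explicitly.
mtu inside 1500
mtu dmz 1500
mtu outside 1500
mtu backend 1500
!
! Verification (privileged EXEC): link and protocol state, addresses, names and
! security levels, plus the per-interface counters and the member pair state.
show interface ip brief
show nameif
show interface GigabitEthernet0/0.10
show interface redundant 1
show running-config interface
```

Two caveats a practitioner will run into. First, the ASA 5505 has a built-in switch rather than routed ports, so a VLAN is created there with interface vlan N and a port is placed in it with switchport access vlan N; the subinterface form above applies to the 5510 and larger models. Second, the security levels decide the default policy: traffic may initiate from a higher-level interface to a lower-level one (inside to dmz to outside in this example) but not in the reverse direction without an access list, and traffic between two interfaces with the same level is dropped unless same-security-traffic permit inter-interface is configured.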

“Do I Know This Already?” Quiz

The “Do I Know This Already?” quiz allows you to assess whether you should read this entire chapter thoroughly or jump to the “Exam Preparation Tasks” section. If you are in doubt about your answers to these questions or your own assessment of your knowledge of the topics, read the entire chapter. Table 3-1 lists the major headings in this chapter and their corresponding “Do I Know This Already?” quiz questions. You can find the answers in Appendix A, “Answers to the ‘Do I Know This Already?’ Quizzes.”

Table 3-1. “Do I Know This Already?” Section-to-Question Mapping

Foundation Topics Section                    Questions
Configuring Physical Interfaces              1–4
Configuring VLAN Interfaces                  5–7
Configuring Interface Security Parameters    8–10
Configuring the Interface MTU                11
Verifying Interface Operation                12

Caution

The goal of self-assessment is to gauge your mastery of the topics in this chapter. If you do not know the answer to a question or are only partially sure of the answer, you should mark this question wrong for purposes of the self-assessment. Giving yourself credit for an answer you correctly guess skews your self-assessment results and might provide you with a false sense of security.

1. Which of the following answers describe an attribute of a redundant interface? (Choose all that apply.)

a. A redundant interface load balances traffic across member interfaces.
b. A redundant interface is made up of two or more physical interfaces.
c. An ASA can have up to eight redundant interface pairs.
d. Each member interface of a redundant interface cannot have its own security level.
e. IP addresses must be applied to the member physical interfaces of a redundant interface.
f. The member interfaces swap the active role when one of them fails.

2. What must happen for a member interface to take over the active role as part of a redundant interface?

a. Three hello messages must be missed.
b. The link status of the current active interface goes down.
c. A member interface, which was previously active before it went down, regains its link status.
d. Its member priority is higher than other member interfaces.
e. A timer must expire.

3. Which ASA command can be used to display a list of all physical interfaces?

a. show interfaces physical
b. show interface list
c. show hardware
d. show version
e. show ports
f. show

4. Suppose you want to double the bandwidth between an ASA’s outside interface and a neighboring switch. A single GigabitEthernet link exists today; a second link would also add redundancy. Which one of the following describes the best approach to meet the requirements?

a. Bring up a second GigabitEthernet interface on the same VLAN as the first one.
b. Configure the two interfaces as a redundant interface.
c. Configure the two interfaces as an EtherChannel.
d. Dual links are not possible on an ASA.

5. You have been assigned the task of configuring a VLAN interface on an ASA 5510. The interface will use VLAN 50. Which one of the following sets of commands should be entered first to accomplish the task?

a. interface vlan 50
   no shutdown

b. interface ethernet0/0
   no shutdown

c. interface ethernet0/0.5
   vlan 50
   no shutdown

d. interface ethernet0/0.50
   no shutdown

6. Which of the following are correct attributes of an ASA interface that is configured to support VLAN interfaces? (Choose all that apply.)

a. The physical interface operates as an ISL trunk.
b. The physical interface operates as an 802.1Q trunk.
c. The subinterface numbers of the physical interface must match the VLAN number.
d. All packets sent from a subinterface are tagged for the trunk link.
e. An ASA can negotiate a trunk link with a connected switch.

7. Which one of the following answers contains the commands that should be entered on an ASA 5505 to create an interface for VLAN 6?

a. interface vlan 6
b. vlan 6
c. interface ethernet0/0.6
d. interface ethernet0/0.6

8. Which of the following represent security attributes that must be assigned to an active ASA interface when the ASA is in routed firewall mode? (Choose three answers.)

a. IP address
b. Access list
c. Interface name
d. Security level
e. Interface priority
f. MAC address

9. Which one of the following interfaces should normally be assigned a security level value of 100?

a. outside
b. dmz
c. inside
d. None of these answers are correct.

10. An ASA has two active interfaces, one with security level 0 and one with security level 100. Which one of the following statements is true?

a. The interface is not ready to use; the no shutdown command has not been issued.
b. The interface is not ready to use; it doesn’t have an IP address configured.
c. The interface is not ready to use; it doesn’t have a MAC address configured.
d. The interface is not ready to use; it doesn’t have a security level configured.
e. The interface is not ready to use; it doesn’t have an interface name configured.

Answer E might also be true, but you cannot confirm that a security level has been configured from the command output given. Because an interface name has not been configured with the nameif command, neither the interface name nor the security level is shown in the output.